GDPR-compliant data processing terms between DataPanda and its users.
This Data Processing Agreement ("DPA") forms part of the agreement between Digimark GmbH ("DataPanda", "Processor") and you, the customer ("Controller"), and governs the processing of personal data in connection with the DataPanda service.
This DPA is incorporated into and subject to the Terms and Conditions. Capitalised terms not defined here have the meaning given in the Terms.
"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
"Controller" means the natural or legal person that determines the purposes and means of processing personal data (i.e., you, the DataPanda customer).
"Processor" means Digimark GmbH, which processes personal data on behalf of the Controller.
"Sub-Processor" means any third party engaged by the Processor to process personal data.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
Digimark GmbH processes personal data on behalf of the Controller for the purpose of providing the DataPanda social media reporting service. The processing includes storage, analysis, and display of Instagram account data and any personal data contained within reports generated by the Controller.
The personal data processed may include: email addresses, Instagram account identifiers, Instagram public profile data (username, follower count, media metrics), and activity log data relating to the Controller's users. Data subjects are: the Controller (account holder), and optionally the Controller's own customers or clients whose Instagram data appears in shared reports.
Processing continues for the duration of the Controller's subscription to DataPanda, and thereafter for the period required to fulfil data deletion obligations as set out in the Data Deletion Policy.
Digimark GmbH agrees to:
The Controller provides general authorisation for Digimark GmbH to engage sub-processors. Current sub-processors include:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (EU–US DPF) |
| Meta Platforms, Inc. | Instagram API data | USA (SCCs) |
| Cloud infrastructure provider | Database & application hosting | EU |
| Email delivery provider | Transactional email | EU / USA (SCCs) |
Digimark GmbH will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object. Objections must be raised within 14 days of notification.
Where personal data is transferred to countries outside the EEA, Digimark GmbH ensures appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs) or reliance on adequacy decisions.
Digimark GmbH implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. See our Security Policy for details.
Digimark GmbH will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Controller's data, including the information required under GDPR Article 33(3) to the extent available.
Digimark GmbH will assist the Controller in responding to data subject rights requests by providing appropriate technical and organisational measures, insofar as this is possible given the nature of the processing.
Digimark GmbH will make available all information necessary to demonstrate compliance with GDPR Article 28 and allow for audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
This DPA is governed by the laws of the Federal Republic of Germany.
📧 DPA inquiries: hello@digimarkstudio.com
